When the Sky is Falling Network-Scale Mitigation of High-Volume Reflection/Amplification DDoS Attacks
Substantial Growth in Largest Attacks • Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps • Some respondents saw multiple events above 100Gbps but reported only the largest
DDoS Attacks in the Wake of French Anti-terror Demonstrations On January 15th, France’s chief information systems defense official, Adm. Arnaud Coustilliere, announced a sharp rise in online attacks against French web sites:
Hong Kong Protest attack (11/20/2014 @ 10:40AM) The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites: The distributed denial of service (DDoS) attacks have been carried out against independent news site Apple Daily and PopVote, which organised mock chief executive elections for Hong Kong. Now the content delivery network Cloudflare, which protects Apple Daily and PopVote, says the DDoS attacks have been unprecedented in scale, pounding the sites with junk traffic at a remarkable 500 gigabits per second. “We’re seeing over 250 million DNS requests per second, which is probably on par with the total DNS requests for the entire Internet in a normal second,” said Prince.
North Korea Goes Offline - Sony attack, 12/22/2014 • It was reported earlier today that North Korea was having Internet connectivity issues. Given recent events involving Sony Pictures Entertainment (SPE), these reports are of particular interest. • Port analysis – All attacks on the 18th, 19th and 20th target port 80 – All attacks (except for one) on the 21st and 22nd target port 53 (DNS) from either port 123 or 1900 (indicating NTP or SSDP reflection/amplification) – The one exception, the first attack on the 21st, was from port 1900 to port 80 • Peaks – Peak attack size (bps) = 5.97 Gbps on 12/20/14 – Peak attack size (pps) = 1.70 Mpps on 12/20/14 (same attack) – Peak duration: 55m 53s
2014, A Time of Reflection….. • DNS has historically been the ‘leading’ protocol used for reflection amplification • NTP significant throughout 2014 • 93 attacks over 100Gbps, 5 over 200Gbps. • SSDP significant post Q3 • 25K attacks per month in Q4 • Largest at 131Gbps • Other protocols still a concern
ATLAS – Unprecedented Flood of Attacks • Peak monitored attack at 325Gbps, up 32% on last year • Attacks larger than 2013 peak in January, February, August and December 2014 • ATLAS also monitored more than 4x the number of attacks over 100Gbps in 2014, as compared to 2013
2014 ATLAS Initiative : Anonymous Stats, IN, APAC & WW • Contrasting IN and APAC with world-wide data • Peak attacks show NTP reflection still prevalent this quarter.
2014 ATLAS Initiative : Anonymous Stats, IN • Other Protocols for Amplification • Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way. • Looking at attacks with source-ports of services used for reflection. • DNS has been used by attackers for several years. • Significant growth in attacks with source port 1900 (SSDP) • 462 attacks in Q4 vs 64 in Q3
Reflection/Amplification DDoS Attacks
Evolution of Reflection/Amplification DDoS Attacks • Many varieties of reflection/amplification DDoS attacks have been observed ‘in the wild’ for 18 years or more. • Beginning in October of 2013, high-profile NTP reflection/amplification DDoS attacks were launched against various online gaming services. • With tens of millions of simultaneous users affected, these attacks were reported in the mainstream tech press. • But these attacks aren’t new – the largest observed DDoS attacks are all reflection/amplification attacks, and have been for years. • Reflection/amplification attacks require the ability to spoof the IP address of the intended target. • In most volumetric DDoS attacks, throughput (pps) is more important than bandwidth (bps). In most reflection/amplification DDoS attacks, bps is more important than pps – it fills the pipes!
Components of a Reflection/Amplification DDoS Attack Amplification • Attacker makes a relatively small request that generates a significantly larger response/reply. This is true of most (not all) server responses. Reflection • Attacker sends spoofed requests to a large number of Internet-connected devices, which reply to the requests. Using IP address spoofing, the ‘source’ address is set to the actual target of the attack, so all replies are sent to the target. Many services can be exploited to act as reflectors.
Impact of Reflection/Amplification DDoS Attacks • Servers, services, applications, Internet access, et al. on the target network overwhelmed and rendered unavailable by sheer traffic volume – tens or hundreds of Gb/sec are now frequent. • Complete saturation of peering links/transit links of the target network. • Total or near-total saturation of peering links/transit links/core links of intermediate networks between the reflectors/amplifiers and the target network – including the networks of direct peers/transit providers of the target network • Widespread collateral damage – packet loss, delays, high latency for Internet traffic of uninvolved parties which simply happens to traverse networks saturated by these attacks. • Unavailability of servers/services/applications, Internet access for bystanders topologically proximate to the target network.
Effects of a 300gb/sec Reflection/Amplification DDoS Attack on Network Capacity [diagram shown over five build slides: Peer A, Peer B, Peer C, Peer D, IXP-W, IXP-E, mobile infrastructure, content services (video, music, gaming, etc.) and the NOC]
The Two Main Factors Which Make These Attacks Possible • Failure to deploy anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding (uRPF), ACLs, DHCP Snooping & IP Source Guard, Cable IP Source Verify, etc. on all edges of ISP and enterprise networks. • Misconfigured, abusable services running on servers, routers, switches, home CPE devices, etc.
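The first of the two factors, missing source-address validation at the network edge, is easiest to see as the check itself. The following is an added example written for this page, not code from the slides and not any vendor's uRPF implementation: it models strict and loose uRPF against a constructed FIB (the prefixes, interface names and sample arrivals are invented), including the real-world wrinkle that a default route does not satisfy the check unless the operator explicitly allows it (the assumed `allow_default` flag).

```python
"""Strict and loose Unicast RPF as a source-address check, run against a constructed FIB.

Added example, not from the slides and not any vendor's implementation. The FIB,
interface names and sample packets are invented. Semantics modelled: strict mode
accepts a packet only if the best route to its source address points back out the
ingress interface; loose mode accepts if any route covers the source; and, as on
real routers, a default route does not count as a matching route unless the
operator explicitly allows it (the allow_default flag below).
"""
import ipaddress
from typing import Optional

# Constructed FIB of an edge router: customer prefixes on access ports, everything
# else via the transit uplink.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):       "upstream0",   # default toward transit
    ipaddress.ip_network("198.51.100.0/24"): "cust-a",      # customer A's allocation
    ipaddress.ip_network("203.0.113.0/24"):  "cust-b",      # customer B's allocation
    ipaddress.ip_network("192.0.2.0/24"):    "cust-b",      # second prefix for B
}

# Constructed arrivals: (source address, ingress interface, description).
SAMPLE_PACKETS = [
    ("198.51.100.25", "cust-a", "customer A host, genuine source"),
    ("172.19.234.6",  "cust-a", "customer A host spoofing the slides' target for a monlist probe"),
    ("203.0.113.7",   "cust-a", "customer A host spoofing customer B's address space"),
    ("192.0.2.9",     "cust-b", "customer B host, genuine source"),
]


def best_route(src: str) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match, the lookup uRPF performs on the *source* address."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in FIB if addr in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def urpf_check(src: str, ingress: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """True if the packet passes uRPF in the given mode, False if it should be dropped."""
    route = best_route(src)
    if route is None:
        return False
    if route.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it: treat as unknown
    if mode == "loose":
        return True                       # source is routable somewhere: good enough
    if mode == "strict":
        return FIB[route] == ingress      # must be routable back out the arrival interface
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(packets, mode="strict", allow_default=False):
    """Apply the check to a batch and return [(src, ingress, accepted), ...]."""
    return [(src, ifc, urpf_check(src, ifc, mode, allow_default)) for src, ifc, _ in packets]


if __name__ == "__main__":
    for mode, allow in (("strict", False), ("loose", False), ("loose", True)):
        print("mode=%s allow_default=%s" % (mode, allow))
        verdicts = filter_packets(SAMPLE_PACKETS, mode, allow)
        for (src, ifc, why), (_, _, ok) in zip(SAMPLE_PACKETS, verdicts):
            print("  %-14s on %-9s %s  <- %s" % (src, ifc, "accept" if ok else "DROP  ", why))
```

Strict mode on the customer-facing ports is what stops both spoofed packets; loose mode still lets customer A forge customer B's addresses, and loose mode with the default route allowed stops nothing at all, which is why it belongs on transit/peering edges rather than customer edges.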
Additional Contributing Factors • Failure of network operators to utilize flow telemetry (e.g., NetFlow, cflowd/jflow, et al.) collection and analysis for attack detection/classification/traceback. • Failure of ISPs and enterprises to proactively scan for and remediate abusable services on their networks and to scan for and alert customers/users running abusable services – blocking abusable services until they are remediated, if necessary. • Failure to deploy and effectively utilize DDoS reaction/mitigation tools such as Source-Based Remotely-Triggered Blackholing (S/RTBH), flowspec, and Intelligent DDoS Mitigation Systems (IDMSes). • Failure to fund and prioritize availability equally with confidentiality and integrity in the security sphere. • Failure of many enterprises/ASPs to subscribe to ‘Clean Pipes’ DDoS mitigation services offered by ISPs/MSSPs.
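What "flow telemetry for detection/classification/traceback" looks like in practice, as an added example written for this page (not code from the slides, and not any collector's or vendor's code): a classifier over constructed, sampled NetFlow-style records that keys on the reply source port the way the earlier port analysis does (replies from 123 or 1900 toward the attacker's chosen destination port), scales the sampled counts back to line rate, and lists the non-spoofed reflector addresses the target actually sees. The sampling rate, window, thresholds and the `MIN_REPLY_BYTES` cut-off are illustrative assumptions.

```python
"""Flow-telemetry classification of a reflection/amplification attack in progress.

Added example, not from the slides and not any flow collector's code. The sampled
flow records below are constructed (NetFlow-v5-like fields, 1:1000 packet sampling,
one 60-second export window) and the thresholds are illustrative assumptions. The
classifier does what the slides ask of flow telemetry: detect, classify the vector
by reply source port, and trace back to the reflectors.
"""
import csv
import io
from collections import defaultdict

# UDP source ports of the five vectors the slides list, i.e. the port the spoofed
# query was sent to and therefore the port the amplified reply comes back from.
REFLECTION_VECTORS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
UDP = 17
MIN_REPLY_BYTES = 200   # assumption: a per-source mean packet size above this is an amplified
                        # reply, not the 76-byte NTP answer or small DNS answer the target asked for

# Constructed sample export (not real telemetry). Eight NTP reflectors answer toward
# 172.19.234.6 on the attacker's chosen destination port UDP/80 with ~468-byte packets;
# two SSDP replies, one legitimate NTP reply, one TCP flow and a stray SSDP packet to a
# neighbour are mixed in. Counts are per sampled flow over a 60 s window at 1:1000.
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,pkts,bytes
192.0.2.10,123,172.19.234.6,80,17,2500,1170000
192.0.2.11,123,172.19.234.6,80,17,2500,1170000
198.51.100.5,123,172.19.234.6,80,17,2500,1170000
198.51.100.6,123,172.19.234.6,80,17,2500,1170000
203.0.113.20,123,172.19.234.6,80,17,2500,1170000
203.0.113.21,123,172.19.234.6,80,17,2500,1170000
203.0.113.22,123,172.19.234.6,80,17,2500,1170000
203.0.113.23,123,172.19.234.6,80,17,2500,1170000
203.0.113.40,1900,172.19.234.6,80,17,40,12800
203.0.113.41,1900,172.19.234.6,80,17,40,12800
192.0.2.99,123,172.19.234.6,123,17,1,76
198.51.100.77,443,172.19.234.6,51234,6,300,420000
203.0.113.50,1900,172.19.234.7,53,17,3,960
"""


def classify_flows(flow_csv, sampling_rate=1000, window_s=60, alert_bps=500_000_000):
    """Aggregate per (target, vector); return {dst: {vector: {bps, pps, reflectors, alert, ...}}}."""
    agg = defaultdict(lambda: defaultdict(lambda: {
        "pkts": 0, "bytes": 0, "dports": defaultdict(int),
        "src_pkts": defaultdict(int), "src_bytes": defaultdict(int)}))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != UDP:
            continue                                   # the five vectors here are all UDP
        vector = REFLECTION_VECTORS.get(int(row["sport"]))
        if vector is None:
            continue                                   # not a reply from a known reflector port
        pkts, nbytes = int(row["pkts"]), int(row["bytes"])
        a = agg[row["dst"]][vector]
        a["pkts"] += pkts
        a["bytes"] += nbytes
        a["dports"][int(row["dport"])] += pkts
        a["src_pkts"][row["src"]] += pkts
        a["src_bytes"][row["src"]] += nbytes
    report = {}
    for dst, vectors in agg.items():
        report[dst] = {}
        for vector, a in vectors.items():
            bps = a["bytes"] * sampling_rate * 8 / window_s      # undo sampling, bytes -> bits/s
            reflectors = sorted(s for s in a["src_pkts"]
                                if a["src_bytes"][s] / a["src_pkts"][s] >= MIN_REPLY_BYTES)
            report[dst][vector] = {
                "bps": bps,
                "pps": a["pkts"] * sampling_rate / window_s,
                "avg_pkt_bytes": a["bytes"] / a["pkts"],
                "top_dport": max(a["dports"], key=a["dports"].get),  # attacker-chosen target port
                "reflectors": reflectors,                            # real, non-spoofed sources
                "alert": bps >= alert_bps,
            }
    return report


def alerts(report):
    """Sorted (target, vector) pairs that crossed the threshold."""
    return sorted((dst, v) for dst, vectors in report.items()
                  for v, e in vectors.items() if e["alert"])


if __name__ == "__main__":
    rep = classify_flows(SAMPLE_FLOWS)
    for dst, vector in alerts(rep):
        e = rep[dst][vector]
        print("%s: %s reflection, %.2f Gbps, %.0f kpps, mean %d B/pkt toward UDP/%d from %d reflectors"
              % (dst, vector, e["bps"] / 1e9, e["pps"] / 1e3, e["avg_pkt_bytes"],
                 e["top_dport"], len(e["reflectors"])))
```

The per-source packet-size check matters before the reflector list is handed to S/RTBH or flowspec: the target's own legitimate NTP server also answers from UDP/123, and blackholing it along with the abused servers is self-inflicted collateral damage. The mean packet size (~468 bytes for NTP monlist replies) is also the quickest way to tell a reflection vector apart from ordinary traffic on the same port.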
What Types of Devices Are Being Abused? • Consumer broadband customer premise equipment (CPE) devices – e.g., home broadband routers/modems with insecure (and sometimes insecurable!) factory default settings • Commercial-grade provider equipment (PE) devices – e.g., larger, more powerful routers and layer-3 switches used by ISPs and enterprises • Servers (real or virtual) running misconfigured, abusable service daemons – home servers set up by end-users, commercial servers set up by ISPs and enterprises. • Embedded devices like network-connected printers (!), DVRs, et al. • The Internet of Things is rapidly becoming the Botnet of Things!
Reflection/Amplification Attack Terminology • Attack source – origination point of spoofed attack packets. • Reflector – a node through which spoofed attack packets are ‘reflected’ to the attack target and/or to a separate amplifier node prior to reflection to the target. • Amplifier – a node which receives non-spoofed attack packets from reflector nodes and then generates significantly larger response packets, which are sent back to the reflectors. • Reflector/Amplifier – a node which performs both the reflection and amplification of attack packets, and then transmits the non-spoofed, amplified responses to the ultimate target of the attack. Many (not all) reflection/amplification attacks work this way. • Attack leg – the distinct logical path elements which attack traffic traverses on the way from the attack source to reflectors/amplifiers, and from reflectors/amplifiers to the attack target.
Spoofed vs. Non-spoofed Traffic • Attack source – reflector/amplifier source IP addresses are spoofed. The attacker spoofs the IP address of the ultimate target of the attack. • If separate reflectors and amplifiers are involved, the traffic from the reflector to the amplifier is not spoofed, the traffic from the amplifier back to the reflector is not spoofed, and the traffic from the reflector to the attack target is not spoofed. • If combined reflectors/amplifiers are involved, the traffic from the reflectors/amplifiers to the attack target is not spoofed. • This means that the attack target sees the real IP addresses of the attack traffic pummeling it on the ultimate leg of the attack. • This fact has significant positive implications for the mitigation options available to the attack target – but the sheer number of source IPs is often a complicating factor.
Five Common Reflection/Amplification Vectors • chargen – 30-year-old tool for testing network link integrity and performance. Seldom (ever?) used these days for its original intended purpose. Senselessly, absurdly implemented in the modern age by clueless embedded device vendors. • DNS – the Domain Name System resolves human-friendly names into IP addresses. Part of the ‘control-plane’ of the Internet. No DNS = no Internet. • SNMP – Simple Network Management Protocol. Used to monitor and optionally configure network infrastructure devices, services, etc. • NTP – Network Time Protocol provides timesync services for your routers/switches/laptops/tablets/phones/etc. The most important Internet service you’ve never heard of. • SSDP – Simple Service Discovery Protocol, used by UPnP devices
Reflection/Amplification Isn’t Limited to These Five Vectors • Many protocols/services can be leveraged by attackers to launch reflection/amplification DDoS attacks. • These five – DNS, chargen, SNMP, NTP and SSDP – are the most commonly-observed reflection/amplification vectors. • Most (not all) reflection/amplification attacks utilize UDP. • The same general principles discussed with regards to these five vectors apply to others, as well. • There are protocol-/service-specific differences which also apply. • Attackers are investigating and actively utilizing other reflection/amplification vectors, as well – be prepared!
Characteristics of an NTP Reflection/Amplification Attack • The attacker spoofs the IP address of the target of the attack, and sends monlist, showpeers, or other NTP mode 6/mode 7 administrative queries to multiple abusable NTP services running on servers, routers, home CPE devices, etc. • The attacker chooses the UDP port they’d like to target – typically UDP/80 or UDP/123, but it can be any port of the attacker’s choice – and uses that as the source port. The destination port is UDP/123. • The NTP services ‘reply’ to the attack target with non-spoofed streams of ~468-byte packets sourced from UDP/123; the destination port is the source port the attacker chose when generating the NTP monlist/showpeers/etc. queries.
Characteristics of an NTP Reflection/Amplification Attack(cont.) • As these multiple streams of non-spoofed NTP replies converge, the attack volume can be huge – the largest verified attack of this type so far is over 300gb/sec. 100gb/sec attacks are commonplace. • Due to sheer attack volume, the Internet transit bandwidth of the target, along with core bandwidth of the target’s peers/upstreams, as well as the core bandwidth of intermediary networks between the various NTP services being abused and the target, is saturated with non-spoofed attack traffic. • In most attacks, between ~4,000 - ~7,000 abusable NTP services are leveraged by attackers. Up to 50,000 NTP services have been observed in some attacks.
NTP Reflection/Amplification Attack Methodology [diagram shown over three build slides; target: 172.19.234.6/32] • Abusable NTP servers – Internet-accessible servers, routers, home CPE devices, etc. • Leg 1, attacker to NTP servers: UDP/80 → UDP/123, ~50 bytes/packet; spoofed source: 172.19.234.6; destinations: multiple NTP servers; NTP query: monlist • Leg 2, NTP servers to target: UDP/123 → UDP/80, ~468 bytes/packet; non-spoofed sources: multiple NTP servers; destination: 172.19.234.6; reply: up to 500 packets of monlist replies • Impact marked at multiple points along the reply path
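To make the amplification and reflection components concrete for the NTP case described in the preceding slides, here is an added example written for this page (not code from the slides, and not ntpd's own code): it builds the 8-byte mode-7 monlist probe an attacker spoofs, synthesizes the reply stream an abusable ntpd would send to the spoofed address, parses the mode-7 header a defender can key on, and computes the resulting bandwidth and packet amplification. The header layout (implementation 3 = XNTPD, request code 42 = MON_GETLIST_1, 72-byte entries, six entries per packet) is the classic ntpd layout and is an assumption of this model rather than something the slides state; with those constants each reply packet comes out at 440 payload bytes, i.e. 468 bytes on the wire, matching the slides' figure. The slides' "up to 500 packets" is their number; this model emits one packet per six entries, so the count scales with the constructed client list.

```python
"""NTP mode-7 monlist exchange and its amplification, modelled offline.

Added example, not code from the original slides and not ntpd's code. The packet
layout (8-byte mode-7 header, implementation 3 = XNTPD, request code 42 =
MON_GETLIST_1, 72-byte monlist entries, six entries per reply packet) is the classic
ntpd layout and is an assumption of this model. The client list is constructed data.
"""
import socket
import struct

IPV4_UDP_OVERHEAD = 20 + 8     # bytes added to each UDP payload on the wire (IPv4 assumed)
MODE7_HDR_LEN = 8              # mode-7 header length (ntpd layout, assumption)
MON_ENTRY_LEN = 72             # bytes per monlist entry (ntpd layout, assumption)
ENTRIES_PER_PKT = 6            # ntpd packs 6 entries per reply: 8 + 6*72 = 440 payload bytes
IMPL_XNTPD = 3                 # "implementation" field value used by ntpd
REQ_MON_GETLIST_1 = 42         # request code for monlist
NTP_VERSION = 2                # version field carried in mode-7 packets


def build_monlist_request() -> bytes:
    """The 8-byte probe the attacker spoofs toward UDP/123 of every abusable server.

    Byte 0: response bit (0), more bit (0), version (2), mode (7) -> 0x17.
    Byte 1: auth bit + sequence (0). Byte 2: implementation. Byte 3: request code.
    Then err/nitems and mbz/itemsize, both zero for a request carrying no items.
    """
    byte0 = (0 << 7) | (0 << 6) | (NTP_VERSION << 3) | 7
    return struct.pack("!BBBBHH", byte0, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode-7 header of a request or reply."""
    if len(pkt) < MODE7_HDR_LEN:
        raise ValueError("short mode-7 packet")
    b0, b1, impl, reqcode, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": reqcode,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_itemsize & 0x0FFF,
    }


def build_monlist_replies(client_addrs: list) -> list:
    """Synthesize the reply stream an abusable ntpd fires at the spoofed source address.

    One 72-byte record per remembered client, six records per packet, MORE bit set on
    every packet except the last. Record bodies are just the client IPv4 address padded
    to 72 bytes (constructed filler; a real ntpd record also carries counters and flags).
    """
    records = [socket.inet_aton(a).ljust(MON_ENTRY_LEN, b"\x00") for a in client_addrs]
    chunks = [records[i:i + ENTRIES_PER_PKT] for i in range(0, len(records), ENTRIES_PER_PKT)]
    packets = []
    for seq, chunk in enumerate(chunks):
        more = 0x40 if seq < len(chunks) - 1 else 0
        byte0 = 0x80 | more | (NTP_VERSION << 3) | 7          # response bit set
        hdr = struct.pack("!BBBBHH", byte0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                          len(chunk), MON_ENTRY_LEN)
        packets.append(hdr + b"".join(chunk))
    return packets


def amplification_factor(request: bytes, replies: list) -> tuple:
    """Return (bandwidth amplification, packet amplification) for one spoofed probe."""
    sent = len(request) + IPV4_UDP_OVERHEAD
    received = sum(len(p) + IPV4_UDP_OVERHEAD for p in replies)
    return received / sent, len(replies)


def is_monlist_reply(pkt: bytes) -> bool:
    """Check a defender can apply to UDP source-port-123 packets arriving at the target."""
    try:
        h = parse_mode7_header(pkt)
    except ValueError:
        return False
    return h["mode"] == 7 and h["response"] and h["request_code"] == REQ_MON_GETLIST_1


if __name__ == "__main__":
    # Constructed list of 600 "recent clients" remembered by one abusable server.
    clients = ["10.%d.%d.1" % (i // 256, i % 256) for i in range(600)]
    req = build_monlist_request()
    replies = build_monlist_replies(clients)
    baf, paf = amplification_factor(req, replies)
    print("request: %d bytes on the wire; replies: %d packets of %d bytes on the wire"
          % (len(req) + IPV4_UDP_OVERHEAD, paf, len(replies[0]) + IPV4_UDP_OVERHEAD))
    print("bandwidth amplification %.0fx, packet amplification %dx" % (baf, paf))
```

The defensive use of the parser is the point: a legitimate NTP time reply is mode 3/4 and 48 bytes of payload, so anything arriving from UDP/123 that decodes as a mode-7 response with request code 42 is monlist output and can be dropped or rate-limited without touching real time synchronization.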